Background and Relevant Art
Computer systems and related technology affect many aspects of society. Indeed, the computer system's ability to process information has transformed the way we live and work. Computer systems now commonly perform a host of tasks (e.g., word processing, scheduling, accounting, etc.) that prior to the advent of the computer system were performed manually. More recently, computer systems have been coupled to one another and to other electronic devices to form both wired and wireless computer networks over which the computer systems and other electronic devices can transfer electronic data. Accordingly, the performance of many computing tasks are distributed across a number of different computer systems and/or a number of different computing environments.
In many computing environments, a Rights Management System (“RMS”) is used to protect information. Information protection can include a provisioning process for each participating principal. The provisioning process consists of the authentication and identification of a principal, and the generation and storage cryptographic key for him/her. The principal's identification and cryptographic key are statically bound together as identity certificate. The identity certificate is signed by an information protection authority, making it tamper resistant. The identity certificate is distributed to the principal for publishing and consuming content. The identity certificate is often associated with policy enforcement software.
Information protection can also include publishing protected information. During the creation of protected information, a usage policy is specified. The usage policy describes a set of principals and the types of access they have. A usage policy typically includes a content key that is used to encrypt the protected information.
To obtain access to protected information, a recipient's identity certificate and the protected information's usage policy are submitted to an authorization server. The authorization server evaluates the identification information in the identity certificate against the usage policy to determine whether the recipient is authorized to access the content, what types of access the recipient has and under what conditions. If the recipient is granted to any permission, a usage license is issued. The cryptographic key inside of the identity certificate is used to encrypt the granted accesses and the content key encrypting the protected information.
The usage license is bound to the cryptographic key contained in the identity license on recipient side. The protected information is decrypted. The granted accesses and conditions are enforced.
One challenge for information protection systems is the ability for applications to be able to process protected content for usage scenarios, such as, for example, archival, hygiene, search, etc., that rely on an application to have rights to the content in addition to a user. Within an enterprise, this is facilitated by an administrator managing implicit rights for applications. However, when collaborating between enterprises the management of implicit rights becomes more difficult since there is often no trust defined between two enterprises.
Improperly managed implicit rights can result in feature impairment. For example, protected information cannot be easily exchanged between two or more organizations since administrators can choose to reject protected content. Rejecting content can impede the end-users ability to get their tasks completed.
Improperly managed implicit rights can also result in information disclosure. Typically when the recipient of the protected information is unable to view the content, for example, due to another application rejecting the content, the recipient requests an unprotected copy of the content. Use of an unprotected copy of content can lead to information disclosure whether by accident or intentionally. Information disclosure can have a substantial impact (financial, damaged imaged, etc.) to the owner of the content that should have been protected.